About This Document


This document is Volume 6 of the OCTAVE-S Implementation Guide, a 10-volume handbook 
supporting the OCTAVE-S methodology. This volume provides worksheets to document 
data related to critical assets that are categorized as systems. 


The volumes in this handbook are 


Volume 1: Introduction to OCTAVE-S — This volume provides a basic description of 
OCTAVE-S and advice on how to use the guide. 


Volume 2: Preparation Guidelines — This volume contains background and guidance for 
preparing to conduct an OCTAVE-S evaluation.


Volume 3: Method Guidelines — This volume includes detailed guidance for each 
OCTAVE-S activity.


Volume 4: Organizational Information Workbook — This volume provides worksheets for 
all organizational-level information gathered and analyzed during OCTAVE-S. 


Volume 5: Critical Asset Workbook for Information — This volume provides worksheets 
to document data related to critical assets that are categorized as information.


Volume 6: Critical Asset Workbook for Systems — This volume provides worksheets to 
document data related to critical assets that are categorized as systems.


Volume 7: Critical Asset Workbook for Applications — This volume provides worksheets 
to document data related to critical assets that are categorized as applications.


Volume 8: Critical Asset Workbook for People — This volume provides worksheets to 
document data related to critical assets that are categorized as people.


Volume 9: Strategy and Plan Workbook — This volume provides worksheets to record the 
current and desired protection strategy and the risk mitigation plans. 


Volume 10: Example Scenario — This volume includes a detailed scenario illustrating a 
completed set of worksheets. 
Abstract


The Operationally Critical Threat, Asset, and Vulnerability Evaluation™ (OCTAVE®) 
approach defines a risk-based strategic assessment and planning technique for security. 
OCTAVE is a self-directed approach, meaning that people from an organization assume 
responsibility for setting the organization’s security strategy. OCTAVE-S is a variation of the 
approach tailored to the limited means and unique constraints typically found in small 
organizations (less than 100 people). OCTAVE-S is led by a small, interdisciplinary team 
(three to five people) of an organization’s personnel who gather and analyze information, 
producing a protection strategy and mitigation plans based on the organization’s unique 
operational security risks. To conduct OCTAVE-S effectively, the team must have broad 
knowledge of the organization’s business and security processes, so it will be able to conduct 
all activities by itself. 
OCTAVE-S V1.0 | Introduction


1 Introduction 


This document contains the Operationally Critical Threat, Asset, and Vulnerability Evaluation™ 
(OCTAVE®)-S worksheets related to critical assets that are systems. The activities related to these 
worksheets are focused on analyzing a critical asset. 


Table 1 provides a brief introduction to the contents of this workbook, using activity step numbers 
as a key. For more details about how to complete each step, refer to the OCTAVE®-S Method 
Guidelines, which can be found in Volume 3 of the OCTAVE®-S Implementation Guide. 


Table 1: Worksheets Provided in This Workbook 


Description | Worksheet | Activity
Start a Critical Asset Information worksheet for each critical asset. Record the name of the critical asset on its Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets
Record your rationale for selecting each critical asset on that asset’s Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets
Record a description for each critical asset on that asset’s Critical Asset Selection worksheet. Consider who uses each critical asset as well as who is responsible for it. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets
Record assets that are related to each critical asset on that asset’s Critical Asset Information worksheet. Refer to the Asset Identification worksheet to determine which assets are related to each critical asset. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets


SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon 
University. 

® OCTAVE is registered in the United States Patent and Trademark Office by Carnegie Mellon 
University. 
Table 1: Worksheets Provided in This Workbook (cont.)


Description | Worksheet | Activity | Pages
Record the security requirements for each critical asset on that asset’s Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets |
For each critical asset, record the most important security requirement on that asset’s Critical Asset Information worksheet. | Critical Asset Information | Phase 1, Process S2, S2.1 Select Critical Assets |
Complete all appropriate threat trees for each critical asset. Mark each branch of each tree for which there is a non-negligible possibility of a threat to the asset. If you have difficulty interpreting a threat on any threat tree, review the description and examples of that threat in the Threat Translation Guide. | Risk Profile; Threat Translation Guide | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets | 9-54
Record specific examples of threat actors on the Risk Profile worksheet for each applicable actor-motive combination. | Risk Profile | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets |
Record the strength of the motive for deliberate threats due to human actors. Also record how confident you are in your estimate of the strength of the actor’s motive. | Risk Profile | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets |
Record how often each threat has occurred in the past. Also record how accurate you believe your data are. | Risk Profile | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets |
Record areas of concern for each source of threat where appropriate. An area of concern is a scenario defining how specific threats could affect the critical asset. | Risk Profile | Phase 1, Process S2, S2.1 Identify Threats to Critical Assets | 9-54
Table 1: Worksheets Provided in This Workbook (cont.)


Step | Description | Worksheet | Activity | Pages
Step 17 | Select the system of interest for each critical asset (i.e., the system most closely related to the critical asset). | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18a | Review paths used to access each critical asset, and select key classes of components related to each critical asset. Determine which classes of components are part of the system of interest. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18b | Determine which classes of components serve as intermediate access points (i.e., which components are used to transmit information and applications from the system of interest to people). | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18c | Determine which classes of components, both internal and external to the organization’s networks, are used by people (e.g., users, attackers) to access the system. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18d | Determine where information from the system of interest is stored for backup purposes. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58
Step 18e | Determine which other systems access information or applications from the system of interest and which other classes of components can be used to access critical information or services from the system of interest. | Network Access Paths | Phase 2, Process S3, S3.1 Examine Access Paths | 55-58




Table 1: Worksheets Provided in This Workbook (cont.) 


Description | Worksheet | Activity | Pages
Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or low) for each active threat to each critical asset. | Risk Profile; Impact Evaluation Criteria | Phase 3, Process S4, S4.1 Evaluate Impacts of Threats | 9-54
Using the probability evaluation criteria as a guide, assign a probability value (high, medium, or low) for each active threat to each critical asset. Document your confidence level in your probability estimate. | Risk Profile; Probability Evaluation Criteria | Phase 3, Process S4, S4.3 Evaluate Probabilities of Threats |
Transfer the stoplight status for each security practice area from the Security Practices worksheet to the “Security Practice Areas” section (Step 26) of each critical asset’s Risk Profile worksheet. | Risk Profile; Security Practices | Phase 3, Process S5, S5.2 Select Mitigation Approaches |
Select a mitigation approach (mitigate, defer, accept) for each active risk. For each risk that you decided to mitigate, circle one or more security practice areas for which you intend to implement mitigation activities. | Risk Profile | Phase 3, Process S5, S5.2 Select Mitigation Approaches |
2 Critical Asset Information Worksheet for 
Systems 


Phase 1 


Process S2


Activity S2.1 


Start a Critical Asset Information worksheet for each critical asset. Record the name of the 
critical asset on its Critical Asset Information worksheet. 


Record your rationale for selecting each critical asset on that asset’s Critical Asset 
Information worksheet. 


Record a description for each critical asset on that asset’s Critical Asset Selection worksheet. 
Consider who uses each critical asset as well as who is responsible for it. 


Record assets that are related to each critical asset on that asset’s Critical Asset Information 
worksheet. Refer to the Asset Identification worksheet to determine which assets are related 
to each critical asset. 


Phase 1
Process S2 


Activity S2.2 


For each critical asset, record the most important security requirement on that asset’s 
Critical Asset Information worksheet.


Record the security requirements for each critical asset on that asset’s Critical Asset 
Information worksheet. 
Critical Asset Information Worksheet: Systems


Step 6: Critical Asset
What is the critical system?


Step 7: Rationale for Selection
Why is this system critical to the organization?


Step 8: Description
Who uses the system?
Who is responsible for the system?


Step 9: Related Assets
Which assets are related to this system?
Information:
Applications:
Other:


Step 10: Security Requirements
What are the security requirements for this system?
(Hint: Focus on what the security requirements should be for this system, not what they currently are.)
[ ] Confidentiality: Only authorized personnel can view information on ____.
[ ] Integrity: Only authorized personnel can modify information on ____.
[ ] Availability: ____ must be available for personnel to perform their jobs. Unavailability cannot exceed ____ hour(s) per every ____ hours.
[ ] Other:


Step 11: Most Important Security Requirement
Which security requirement
[ ] Confidentiality
[ ] Integrity
[ ] Availability
[ ] Other
3 Risk Profile Worksheet for Systems - 
Human Actors Using Network Access


Phase 1


Process S2


Activity S2.3


Complete the threat tree for human actors using network access. Mark each branch of each 
tree for which there is a non-negligible possibility of a threat to the asset. 


If you have difficulty interpreting a threat on the threat tree, review the description and 
examples of that threat in the Threat Translation Guide (see pp. 60-63 of this workbook). 


Record specific examples of threat actors on the Risk Profile worksheet for each applicable 
actor-motive combination. 


Record how often each threat has occurred in the past. Also record how accurate you believe 
your data are. 


Record areas of concern for each source of threat where appropriate. An area of concern is a 
scenario defining how specific threats could affect the critical asset. 


Record the strength of the motive for deliberate threats due to human actors. Also record 
how confident you are in your estimate of the strength of the actor’s motive. 


Phase 3


Process S4 


Activity S4.1 


Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or 
low) to each active threat. 


Phase 3 


Process S4 


Activity S4.3


Using the probability evaluation criteria as a guide, assign a probability value (high, 
medium, or low) to each active threat. Document your confidence level in your probability 
estimate.


Phase 3 


Process S5


Activity S5.2


Transfer the stoplight status for each security practice area from the Security Practices 
worksheet to the “Security Practice Areas” section (Step 26) of the following worksheet.


Select a mitigation approach (mitigate, defer, accept) for each active risk. 


For each risk that you decided to mitigate, circle one or more security practice areas for 
which you intend to implement mitigation activities. 


Human Actors Using Network Access Basic Risk Profile


Step 12: Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Asset | Access | Actor | Motive | Outcome


Step 22: Impact Values
What is the potential impact on the organization in each applicable area?

Reputation | Financial | Productivity | Fines | Safety | Other
Basic Risk Profile Human Actors Using Network Access


Step 24: Probability
How likely is the threat to occur in the future? How confident are you in your estimate?

Value | Confidence


Step 26: Security Practice Areas
What is the stoplight status for each security practice area?

Strategic | Operational


Step 27: Approach
What is your approach for addressing each risk?
Human Actors Using Network Access Threat Context


Step 13: Threat Actors
Which actors pose the biggest threats to this system via the network?

Insiders acting accidentally:
Insiders acting deliberately:
Outsiders acting accidentally:
Outsiders acting deliberately:

Threat tree branch labels: network; outside; accidental; deliberate; disclosure; modification; loss, destruction; interruption
Threat Context Human Actors Using Network Access


Step 14
How strong is the actor's motive? High | Medium | Low
How confident are you in this estimate? Very | Somewhat | Not At All


Step 15
How often has this threat occurred in the past? ____ times in ____ years
How accurate are the data? Very | Somewhat | Not At All
Step 16


Human Actors Using Network Access Areas of Concern


Insiders Using Network Access

Give examples of how insiders acting accidentally could use network access to threaten this system.

Give examples of how insiders acting deliberately could use network access to threaten this system.


Outsiders Using Network Access

Give examples of how outsiders acting accidentally could use network access to threaten this system.

Give examples of how outsiders acting deliberately could use network access to threaten this system.
Areas of Concern


Insiders Using Network Access
Outsiders Using Network Access


CMU/SEI-2003-HB-003 Volume 6


OCTAVE-S V1.0 Risk Profile Worksheet for Systems: Physical Access


4 Risk Profile Worksheet for Systems - 
Human Actors Using Physical Access 


Phase 1


Process S2


Activity S2.3


Complete the threat tree for human actors using physical access. Mark each branch of each 
tree for which there is a non-negligible possibility of a threat to the asset. 


If you have difficulty interpreting a threat on the threat tree, review the description and 
examples of that threat in the Threat Translation Guide (see pp. 64-67 of this workbook). 


Record specific examples of threat actors on the Risk Profile worksheet for each applicable 
actor-motive combination.


Record the strength of the motive for deliberate threats due to human actors. Also record 
how confident you are in your estimate of the strength of the actor’s motive. 


Record how often each threat has occurred in the past. Also record how accurate you believe 
your data are. 


Record areas of concern for each source of threat where appropriate. An area of concern is a 
scenario defining how specific threats could affect the critical asset. 


Phase 3


Process S4


Activity S4.1 


Step 22 Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or 
low) to each active threat. 


Phase 3 


Process S4


Activity S4.3


Using the probability evaluation criteria as a guide, assign a probability value (high, 
medium, or low) to each active threat. Document your confidence level in your probability 
estimate. 


Phase 3 


Process S5


Activity S5.2


Transfer the stoplight status for each security practice area from the Security Practices 
worksheet to the “Security Practice Areas” section (Step 26) of the following worksheet. 


Select a mitigation approach (mitigate, defer, accept) for each active risk. 


For each risk that you decided to mitigate, circle one or more security practice areas for 
which you intend to implement mitigation activities. 
Human Actors Using Physical Access Basic Risk Profile


Step 12: Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Asset | Access | Actor | Motive | Outcome


Step 22: Impact Values
What is the potential impact on the organization in each applicable area?
Basic Risk Profile Human Actors Using Physical Access


Step 24: Probability
How likely is the threat to occur in the future? How confident are you in your estimate?

Value | Confidence
Somewhat | Not At All


Step 26: Security Practice Areas
What is the stoplight status for each security practice area?

Strategic | Operational
13. Encryption
14. Sec Arch & Des
15. Incident Mgmt


Step 27: Approach
What is your approach for addressing each risk?

Accept | Mitigate | Defer
Human Actors Using Physical Access Threat Context


Step 13: Threat Actors
Which actors pose the biggest threats to this system via physical means?


Step 14
How strong is the actor's motive?
How confident are you in this estimate?


Step 15
How often has this threat occurred in the past?
How accurate are the data?
Step 16


Human Actors Using Physical Access Areas of Concern


Insiders Using Physical Access

Give examples of how insiders acting accidentally could use physical access to threaten this system.

Give examples of how insiders acting deliberately could use physical access to threaten this system.


Outsiders Using Physical Access

Give examples of how outsiders acting accidentally could use physical access to threaten this system.

Give examples of how outsiders acting deliberately could use physical access to threaten this system.


Areas of Concern


Insiders Using Physical Access


Outsiders Using Physical Access
5 Risk Profile Worksheet for Systems - 
System Problems


Phase 1


Process S2


Activity S2.3


Complete the threat tree for system problems. Mark each branch of each tree for which there 
is a non-negligible possibility of a threat to the asset.


If you have difficulty interpreting a threat on the threat tree, review the description and 
examples of that threat in the Threat Translation Guide (see pp. 68-71 of this workbook). 


Record how often each threat has occurred in the past. Also record how accurate you believe 
your data are. 


Record areas of concern for each source of threat where appropriate. An area of concern is a 
scenario defining how specific threats could affect the critical asset. 


Risk Profile Worksheet for Systems: System Problems OCTAVE-S V1.0


Phase 3 


Process S4 


Activity S4.1 


Step 22 Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or 
low) to each active threat. 


Phase 3 


Process S4


Activity S4.3 


Step 24 Using the probability evaluation criteria as a guide, assign a probability value (high, 
medium, or low) to each active threat. Document your confidence level in your probability 
estimate. 


Phase 3 


Process S5


Activity S5.2


Transfer the stoplight status for each security practice area from the Security Practices 
worksheet to the “Security Practice Areas” section (Step 26) of the following worksheet. 


Select a mitigation approach (mitigate, defer, accept) for each active risk. 


For each risk that you decided to mitigate, circle one or more security practice areas for 
which you intend to implement mitigation activities. 
System Problems Basic Risk Profile


Step 12: Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Asset | Actor | Outcome


Step 22: Impact Values
What is the potential impact on the organization in each applicable area?
Basic Risk Profile System Problems


Step 24: Probability
How likely is the threat to occur in the future? How confident are you in your estimate?

Value | Confidence


Step 26: Security Practice Areas
What is the stoplight status for each security practice area?

Strategic | Operational


Step 27: Approach
What is your approach for addressing each risk?
System Problems Threat Context


How often has this threat occurred in the past?
How accurate are the data?


Threat Context System Problems


What additional notes about each threat do you want to record?
Step 16


System Problems Areas of Concern
Software Defects 


Give examples of how 
software defects could 
threaten this system. 


System Crashes 


Give examples of how system 
crashes could threaten this 
system. 


Hardware Defects 


Give examples of how 
hardware defects could 
threaten this system. 


Malicious Code 


Give examples of how 
malicious code could threaten 
this system. (Consider 
viruses, worms, Trojan 
horses, back doors, others) 
Areas of Concern


Software Defects 
System Crashes 
Hardware Defects 
Malicious Code 
6 Risk Profile Worksheet for Systems - Other 
Problems


Phase 1


Process S2


Activity S2.3


Complete the threat tree for other problems. Mark each branch of each tree for which there 
is a non-negligible possibility of a threat to the asset.


If you have difficulty interpreting a threat on the threat tree, review the description and 
examples of that threat in the Threat Translation Guide (see pp. 72-77 of this workbook). 


Record how often each threat has occurred in the past. Also record how accurate you believe 
your data are. 


Record areas of concern for each source of threat where appropriate. An area of concern is a 
scenario defining how specific threats could affect the critical asset. 


Phase 3


Process S4 


Activity S4.1 


Using the impact evaluation criteria as a guide, assign an impact value (high, medium, or 
low) to each active threat. 


Phase 3 


Process S4 


Activity S4.3


Using the probability evaluation criteria as a guide, assign a probability value (high, 
medium, or low) to each active threat. Document your confidence level in your probability 
estimate.


Phase 3 


Process S5 


Activity S5.2 


Transfer the stoplight status for each security practice area from the Security Practices 
worksheet to the “Security Practice Areas” section (Step 26) of the following worksheet. 


Select a mitigation approach (mitigate, defer, accept) for each active risk. 


For each risk that you decided to mitigate, circle one or more security practice areas for 
which you intend to implement mitigation activities. 
Other Problems Basic Risk Profile


Step 12: Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Asset | Actor | Outcome


Step 22: Impact Values
What is the potential impact on the organization in each applicable area?
Basic Risk Profile Other Problems


Step 24: Probability
How likely is the threat to occur in the future? How confident are you in your estimate?


Step 26: Security Practice Areas
What is the stoplight status for each security practice area?


Step 27: Approach
What is your approach for addressing each risk?
Other Problems Threat Context


Step 15
How often has this threat occurred in the past?
How accurate are the data?

Somewhat


Threat Context Other Problems


Risk Profile Worksheet for Systems: Other


What additional notes about each threat do you want to record?
Step 16


Other Problems Areas of Concern 
Power Supply Problems 


Give examples of how power 
supply problems could 
threaten this system. 


Telecommunications Problems 


Give examples of how 
telecommunications problems 
could threaten this system. 


Third-Party Problems 


Give examples of how third- 
party problems could threaten 
this system. 


Natural Disasters 


Give examples of how 
natural disasters could 
threaten this system. 
Areas of Concern


Power Supply Problems 


Telecommunications Problems 


Third-Party Problems 


Natural Disasters 
Other Problems (cont.) Basic Risk Profile


Step 12: Threat
For which branches is there a non-negligible possibility of a threat to the asset? Mark these branches on the tree.
For which of the remaining branches is there a negligible possibility or no possibility of a threat to the asset? Do not mark these branches.

Asset | Actor | Outcome


Step 22: Impact Values
What is the potential impact on the organization in each applicable area?
Basic Risk Profile Other Problems (cont.)


Step 24: Probability
How likely is the threat to occur in the future? How confident are you in your estimate?

Value | Confidence
Somewhat | Not At All


Step 26: Security Practice Areas
What is the stoplight status for each security practice area?

Strategic | Operational


Step 27: Approach
What is your approach for addressing each risk?
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Other Problems (cont.) Threat Context

How often has this threat occurred in the past?

How accurate are the data? Somewhat / Not At All

[Threat tree: each actor branch ends in four outcomes, each with a history entry]

physical configuration or arrangement of buildings, offices, or equipment
    disclosure: ____ times in ____ years
    modification: ____ times in ____ years
    loss, destruction: ____ times in ____ years
    interruption: ____ times in ____ years

____
    disclosure: ____ times in ____ years
    modification: ____ times in ____ years
    loss, destruction: ____ times in ____ years
    interruption: ____ times in ____ years

____
    disclosure: ____ times in ____ years
    modification: ____ times in ____ years
    loss, destruction: ____ times in ____ years
    interruption: ____ times in ____ years

____
    disclosure: ____ times in ____ years
    modification: ____ times in ____ years
    loss, destruction: ____ times in ____ years
    interruption: ____ times in ____ years
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Threat Context 


Risk Profile Worksheet for Systems: Other 


Other Problems (cont.) 


What additional notes about each threat do you want to record? 


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Step 16 


Other Problems (cont.) Areas of Concern 


Physical Configuration Problems 


Give examples of how physical configuration of buildings, offices, or equipment could threaten this system.

Give examples of how ____ could threaten this system.

Give examples of how ____ could threaten this system.

Give examples of how ____ could threaten this system.
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Risk Profile Worksheet for Systems: Other 


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7 Network Access Paths Worksheet 


Phase 2

Process S3

Activity S3.1

Select the system of interest for each critical asset (i.e., the system most closely related to the critical asset).

Review paths used to access each critical asset, and select key classes of components related to each critical asset.

Step 18a: Determine which classes of components are part of the system of interest.

Step 18b: Determine which classes of components serve as intermediate access points (i.e., which components are used to transmit information and applications from the system of interest to people).

Step 18c: Determine which classes of components, both internal and external to the organization’s networks, are used by people (e.g., users, attackers) to access the system.

Step 18d: Determine where information from the system of interest is stored for backup purposes.

Step 18e: Determine which other systems access information or applications from the system of interest and which other classes of components can be used to access critical information or services from the system of interest.
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Step 17

System of Interest

What system or systems are most closely related to the critical asset?

[Diagram: Access Points, showing System of Interest and Intermediate Access Points]

Step 18a

System of Interest

Which of the following classes of components are part of the system of interest?

[ ] Servers
[ ] Internal Networks
[ ] On-Site Workstations
[ ] Others (list)

Step 18b

Intermediate Access Points

Which of the following classes of components are used to transmit information and applications from the system of interest to people?

Which classes of components could serve as intermediate access points?

[ ] Internal Networks
[ ] External Networks
[ ] Others (list)
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Network Access Paths Worksheet 


Note: When you select a key class of components, make sure that you 
also document any relevant subclasses or specific examples when 
appropriate. 


[Diagram: Access Points, showing System Access by People, Data Storage Locations, and Other Systems/Components]

Step 18c

System Access by People

From which of the following classes of components can people (e.g., users, attackers) access the system of interest?

Consider access points both internal and external to your organization’s networks.

[ ] On-Site Workstations
[ ] Laptops
[ ] PDAs/Wireless Components
[ ] Home/External Workstations
[ ] Others (list)

Step 18d

Data Storage Locations

On which classes of components is information from the system of interest stored for backup purposes?

[ ] Storage Devices
[ ] Others (list)

Step 18e

Other Systems and Components

Which other systems access information or applications from the system of interest?

Which other classes of components can be used to access critical information or applications from the system of interest?
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8 Threat Translation Guide 


Phase 1

Process S2

Activity S2.3

The Threat Translation Guide describes each branch of an asset-based threat tree. If you have difficulty understanding the types of threats represented by a branch, you can use this guide to decipher the meaning of that branch.

You will find asset-based threat trees for the following sources of threat:

Human actors using network access
Human actors using physical access
System problems
Other problems
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Human Actors Using Network Access 
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Description | Example

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally views confidential information on an important system. | Incorrect file permissions enable a staff member to accidentally access a restricted personnel database.

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally modifies information on an important system. | A staff member accidentally enters incorrect financial data into a customer database.

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally loses or destroys information on an important system. | A staff member deletes an important customer file by mistake.

A staff member without malicious intent who has legitimate access to the computing infrastructure accidentally interrupts access to an important system. | A staff member who is not computer savvy inadvertently crashes an important system.

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately view confidential information on an important system. | A staff member uses access to a restricted personnel database to deliberately view information in that database that is restricted by policy.

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately modify information on an important system. |

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately lose or destroy information on an important system. | A staff member with access to design documents for a new product deliberately deletes the files that contain those design documents.

A staff member with malicious intent who has legitimate access to the computing infrastructure exploits that access to deliberately interrupt access to an important system. | A staff member uses legitimate access to the computing infrastructure to launch a denial-of-service attack on an important system.


CMU/SEI-2003-HB-003 Volume 6 




OCTAVE-S V1.0 


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Threat Translation Guide 


Description | Example

An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and views confidential data on a system. | Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally views confidential personnel data.

An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and accidentally modifies information on a system. | Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally modifies important customer data.

An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and loses or destroys information on a system. | Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally loses or destroys financial data.

An outsider without malicious intent gains access to your computing infrastructure (legitimately or by accident) and accidentally interrupts access to a system. | Temporary employees are given access to your computing infrastructure to help with an increased workload. While performing their job duties, one of them accidentally crashes an important system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to view confidential information. | A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to a key business system. The spy uses that access to view confidential customer information on the system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to modify information. | A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to a key business system. The spy uses that access to modify financial data on the system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to lose or destroy information. | A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to a key business system. The spy uses that access to lose or destroy a new product design on the system.

An attacker with malicious intent deliberately exploits vulnerabilities in the computing infrastructure to interrupt access to a system. | A corporate spy exploits vulnerabilities in the computing infrastructure to gain unauthorized access to an airline’s scheduling system. The spy uses that access to crash the system and prevent real-time updates.
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Threat Translation Guide 


Description | Example

A staff member without malicious intent accidentally views confidential information after gaining physical access to a system, one of its components, or a physical copy of the information. | A staff member accidentally sees confidential information on (1) a colleague’s computer screen or (2) a printout on a colleague’s desk.

A staff member without malicious intent accidentally modifies information after gaining physical access to a system, one of its components, or a physical copy of the information. | A staff member modifies information by (1) accidentally altering information on a colleague’s computer while using it for another purpose or (2) accidentally taking a page of a printout on a colleague’s desk.

A staff member without malicious intent accidentally loses or destroys information after gaining physical access to a system, one of its components, or a physical copy of the information. | A staff member loses or destroys information by (1) accidentally deleting information from a colleague’s computer while using it or (2) shredding a paper accidentally taken from a colleague’s desk.

A staff member without malicious intent interrupts access to a system or information by accidentally using physical access to a system, one of its components, or a physical copy of the information to prevent others from accessing the system or information. | A staff member interrupts access to a system by (1) accidentally crashing the system while accessing it from a colleague’s computer or (2) locking the keys inside an office where a physical file is stored.

A staff member with malicious intent deliberately views confidential information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information. | A staff member uses unauthorized access to a physically restricted area of the building to deliberately (1) view confidential information on a computer or (2) read a confidential memo lying on a desk.

A staff member with malicious intent deliberately modifies information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information. | A staff member uses unauthorized access to a physically restricted area of the building to deliberately (1) modify information on a computer or (2) modify a physical file lying on a desk.

A staff member with malicious intent deliberately loses or destroys information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information. | A staff member uses unauthorized access to a physically restricted area of the building to deliberately (1) delete information on a computer or (2) destroy a physical file lying on a desk.

A staff member with malicious intent deliberately interrupts access to an important system or information by breaching physical security to a system, one of its components, or a physical copy of the information and using that physical access to prevent others from accessing the system or information. | A staff member uses unauthorized access to a physically restricted area of the building to (1) gain access to and then deliberately crash an important business system or (2) jam the door and prevent others from physically accessing the systems and information located in that area of the building.
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Description | Example

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to view confidential information accidentally. | A consultant is given access to a staff member’s office and accidentally sees confidential information on (1) a staff member’s computer screen or (2) a printout on a staff member’s desk.

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to modify information accidentally. | A consultant is given access to the computer room and (1) accidentally makes the wrong change to a configuration file on a server or (2) accidentally records the wrong information in a maintenance log.

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to lose or destroy information accidentally. | A consultant configuring one of your servers is given access to the computer room and accidentally (1) destroys an important electronic file or (2) throws away an important piece of system documentation.

An outsider without malicious intent gains physical access to your computing infrastructure or a physical copy of information and uses that access to accidentally prevent others from accessing the information. | A consultant configuring one of your servers is given access to the computer room and accidentally (1) crashes a system while accessing it or (2) locks the keys to the computer room inside it after he or she leaves.

An attacker with malicious intent deliberately views confidential information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information. | A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor’s site and view confidential information either (1) on a key business system or (2) in a physical file.

An attacker with malicious intent deliberately modifies information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information. | A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor’s site and modify financial information either (1) on a key business system or (2) in a physical file.

An attacker with malicious intent deliberately loses or destroys information by breaching physical security and accessing components of the computing infrastructure or a physical copy of the information. | A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor’s site and destroy customer information either (1) on a key business system or (2) in a physical file.

An attacker with malicious intent deliberately interrupts access to an important system or information by breaching physical security to a system, one of its components, or a physical copy of the information and by using that physical access to prevent others from accessing the system or information. | A corporate spy poses as a member of the cleaning crew to gain unauthorized physical access to a competitor’s site and (1) deliberately crashes an important business system or (2) jams the door to prevent others from physically accessing the systems and information located in an area of the building.
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System Problems 


Asset Actor Outcome 




disclosure 
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* Blank lines indicate unusual or extremely rare possibilities. 
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Description | Example*

A software defect results in disclosure of information to unauthorized parties. | A defect in a computer’s operating system changes file access permissions to permit world read and write permissions on certain files and directories.

A software defect results in modification of information on a system. | A custom software application incorrectly performs mathematical operations on data, affecting the integrity of the results.

A software defect results in the loss or destruction of information on a system. | A word processing application is known to crash computers periodically because of a problem with a specific command sequence, destroying any information that was not saved.

A software defect results in a system crash, preventing access to the system. | A word processing application is known to crash computers periodically because of a problem with a specific command sequence, preventing access to that computer.

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in disclosure of information to unauthorized parties. | ---

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in modification of information on that system. | A system crashes during a lengthy update of a financial database, corrupting the information in the database.

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in the loss or destruction of information on that system. | A customer database system frequently crashes, destroying any information that was not saved at the time of the crash.

A system crashes for unknown reasons (i.e., it cannot be traced to a software defect, hardware defect, malicious code, or actions by people), resulting in interruption of access to that system. | An email server crashes, resulting in interruption of user access to email.
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(virus, worm, Trojan 
horse, back door) 


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Description | Example*

A hardware defect results in disclosure of information to unauthorized parties. | ---

A hardware defect results in modification of information on a system. | A disk drive develops a hardware problem that affects the integrity of a database that is stored on the disk.

A hardware defect results in the loss or destruction of information on a system. | A disk drive develops a hardware problem that ends up destroying the information on the disk. Files can be retrieved only from backups.

A hardware defect results in a system crash, preventing access to the system. | A disk drive develops a hardware problem, preventing access to any information on the disk until the problem is corrected.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that enables unauthorized parties to view information. | A back door on a system enables unauthorized people to access the system and view customer credit card information on that system.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that modifies information on that system. | A system is infected with a virus that modifies a process control application on the computer’s disk drive.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that deletes information on that system. | A system is infected with a virus that deletes all information on the computer’s disk drive.

A system is affected by malicious code (virus, worm, Trojan horse, back door) that results in the system crashing. | A system is infected with a virus that is spread via email, slowing network traffic and creating a denial-of-service attack.
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* Blank lines indicate unusual or extremely rare possibilities. 
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Description | Example*

Problems with the power supply lead to disclosure of information to unauthorized parties. | ---

Problems with the power supply lead to modification of information on a system. | ---

Problems with the power supply lead to loss or destruction of information on a system. | A power outage results in loss of any information that was not saved at the time of the outage.

Problems with the power supply lead to interruption of access to a system. | A power outage prevents access to all key business systems.

Unavailability of telecommunications services leads to disclosure of information to unauthorized parties. | ---

Unavailability of telecommunications services leads to modification of information on a system. |

Unavailability of telecommunications services leads to loss or destruction of information on a system. |

Unavailability of telecommunications services leads to interruption of access to a system. | The unavailability of the telecommunications link prevents access to a key business system located at a remote site.
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* Blank lines indicate unusual or extremely rare possibilities. 




Description | Example*

Problems with services provided by third parties (e.g., maintenance of systems) lead to disclosure of information to unauthorized parties. | A staff member from a third-party service provider views confidential information on a key business system that is maintained by that service provider.

Problems with services provided by third parties (e.g., maintenance of systems) lead to modification of information on a system. | Problems at a third-party service provider lead to the modification of information on a key business system located at that provider’s site and maintained by the provider.

Problems with services provided by third parties (e.g., maintenance of systems) lead to loss or destruction of information on a system. | Problems at a third-party service provider lead to the destruction of information on a key business system located at that provider’s site and maintained by the provider.

Problems with services provided by third parties (e.g., maintenance of systems) lead to interruption of access to a system. | A system maintained by a third-party service provider and located at the provider’s site is unavailable due to problems created by that provider’s staff.

Natural disasters (e.g., flood, fire, tornado) lead to disclosure of information to unauthorized parties. | People at the site of a tornado see confidential memos that are dispersed among the debris.

Natural disasters (e.g., flood, fire, tornado) lead to modification of information. | ---

Natural disasters (e.g., flood, fire, tornado) lead to loss or destruction of information. | The flooding of a basement area destroys paper records that are stored there.

Natural disasters (e.g., flood, fire, tornado) lead to interruption of access to a system. | The flooding of a computer room in the basement of a building prevents access to systems in that room.
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Description | Example*

The physical configuration or arrangement of buildings, offices, or equipment leads to disclosure of information to unauthorized parties. | The layout of an office workspace enables anyone in the area to view customer credit card information displayed on computer screens.

The physical configuration or arrangement of buildings, offices, or equipment leads to modification of information on a system. | ---

The physical configuration or arrangement of buildings, offices, or equipment leads to loss or destruction of information on a system. | ---

The physical configuration or arrangement of buildings, offices, or equipment leads to interruption of access to a system. |
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